Snort mailing list archives

WAN IPS + LAN Snort IDS: Signature events visible on both sides?


From: Snort IPS via Snort-users <snort-users () lists snort org>
Date: Tue, 18 Dec 2018 15:15:40 -0500

I currently use Snort as a backup IDS to inspect LAN traffic.  I find
myself in the unusual position that a commercial IPS that I have deployed
on the WAN side will identify signatures and label them as blocked, but our
Snort IDS on the LAN side sees the exact same signature events on our LAN
side.  I must be old, but I was certain that blocked traffic at our WAN
edge IPS system should NOT be visible to our internal LAN Snort IDS.

The commercial IPS claims that a TCP reset flag is set to break the
connection to prevent the exploit payload from delivering, but I don't see
the flag within the same signature packet on the LAN side.

I don't know if I'm just stupid and unaware of this newer firewall
technique, or if the commercial IPS that we use is broken in some way
(intentional or otherwise).
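One way to check a LAN-side capture for the reset described in the message above, as an added example that is not part of the original post: it decodes raw IPv4/TCP headers and reports whether an RST segment appeared on the alerting flow after the packet that matched, and how much payload arrived before it. It assumes the reset is sent as its own segment on that flow; the function names, addresses and sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

RST = 0x04

def parse_tcp(frame: bytes):
    """Decode a raw IPv4/TCP packet into (flow_key, flags, payload_len)."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:                       # IP protocol field: not TCP
        return None
    total_len = struct.unpack("!H", frame[2:4])[0]
    src, dst = IPv4Address(frame[12:16]), IPv4Address(frame[16:20])
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    data_off = (frame[ihl + 12] >> 4) * 4
    # Direction-independent key so both sides of the connection share a flow.
    key = tuple(sorted([(str(src), sport), (str(dst), dport)]))
    return key, frame[ihl + 13], total_len - ihl - data_off

def reset_after_alert(packets, alert_index):
    """Summarise the alerting flow after packets[alert_index] (must be TCP)."""
    alert_key = parse_tcp(packets[alert_index])[0]
    rst_seen, bytes_after = False, 0
    for frame in packets[alert_index + 1:]:
        parsed = parse_tcp(frame)
        if parsed is None or parsed[0] != alert_key:
            continue
        if parsed[1] & RST:
            rst_seen = True
        elif not rst_seen:                  # payload that arrived before any RST
            bytes_after += parsed[2]
    return {"rst_seen": rst_seen, "payload_bytes_before_rst": bytes_after}

def build(src, sport, dst, dport, flags, payload=b""):
    """Constructed sample packet: minimal IPv4 + TCP headers, checksums zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp + payload

# Constructed LAN-side capture using documentation addresses, not real traffic.
SAMPLE = [
    build("198.51.100.7", 443, "192.0.2.10", 50000, 0x18, b"A" * 100),  # alerting segment
    build("198.51.100.7", 80, "192.0.2.11", 50001, 0x18, b"B" * 30),    # unrelated flow
    build("198.51.100.7", 443, "192.0.2.10", 50000, 0x18, b"C" * 20),   # more data, same flow
    build("192.0.2.10", 50000, "198.51.100.7", 443, RST),               # reset on the flow
]

print(reset_after_alert(SAMPLE, 0))
```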